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ABSTRACT 


Computer communications are becoming increasingly important in the 
command, control] and communications community. Using models to verify 
that the communication protocols used by these computers function 
properly is a time and effort saving device. A model called systems of 
communicating machines combines two types of models, finite state 
machines and programming language models. 

In this thesis systems of communicating machines \s used to specify and 
analyze the IEEE token ring protocol. The specification makes several 
Simplifying assumptions about the protocol in order to make the analysis 
manageable. These simplifications include limiting the network to two 
machines and shortening the frame and token formats to reduce the number 
of transmissions on the network. This thesis exercises the resulting 
specification to botn verify tnat the protocol wont fail and that the 
specification is correct. The type of analysis used in this thesis is called a 
reachability analysis or a system state analysis. 

This specification and analysis of the IEEE token ring protocol proves the 
protocol wont fail for a two machine network. This thesis also proves that 
the specification of the protocol is correct. 
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|. INTRODUCTION 


A. FORMAL MODELING OF PROTOCOLS 

A protocol is a set of rules and procedures used by different computers 
to communicate with each other. The protocols are implemented on the 
computers in a network as a set of common software. The purpose of a 
protocol is to establish a common set of rules and procedures to allow 
different computers to communicate. Protocols are designed in layers, with 
the bottom layer being the interface with the communications medium and 
the top layer being the user application. The number of layers in between 
depends on the design of a particular system and which standard (if any) it 
follows. 

Each layer of a communications protocol is designed to accomplish 
specific tasks. These tasks range from transmitting bits on the 
communication medium and reading bits from the medium to breaking files 
destined for transfer into packets and formatting those packets into frames 
that will be recognizable to the receiving machine. The design and 
implementation of a large protocol suite can be a very complicated task; it 
is not always easy to understand how all the pieces fit together. This 
complexity makes the testing and verification of anew protocol difficult. 
Testing a new protocol design can also be very expensive; not only is 
computer time a valuable resource, but many potential failures can take 
days to occur. 

Due to the complexity and expense of testing new protocols, systems 
designers turned to modeling the software to find potential problems. Many 


methods for modeling computer networks have been developed: Petri nets, 
finite state machines, programming languages and hybrid models. Analysts 
use one or more of these models to specify a network as completely as 
possible and then run the model to test for possible system failures. These 
failures fall into two general categories: safety errors and progress errors. 
A safety error occurs when the protocol fails and communication ceases. 
Examples of safety errors include deadlock (a system state from which 
there is no exit) and livelock (an infinite loop of a small number of system 
States). A progress error occurs when one or more stations in the network 
is unable to participate in the communication activity. An example of a 
progress error is starvation (where one or more stations in the network 
never get a chance to transmit information). These models can help identify 
these potential failure conditions. They can also be used to prove the 
functional correctness of a particular protocol, assuming the model is 
accurate. For these reasons, much time and research effort has gone into 


the search for new, easier to use models. 


B. THE TOKEN RING PROTOCOL 

A local area network (LAN) is designed to connect computers in a small 
geographic area, such as an office, building, or several buildings. These 
networks typically use microcomputers as workstations to share a 
minicomputer or mainframe among many users. The microcomputers also 
Stand alone and enable their users to perform other computing functions 
without tying up the main computer. A typical use would be to run user 
applications requiring a lot of computational power and speed on the 
mainframe computer and use the microcomputers for electronic mail, 


running programs remotely on the mainframe, etc. LANs also allow the 
users to share other expensive resources, such as a graphics printer. 

The token ring network is a LAN. The computers on the network are 
connected serially in a ring configuration. Each computer has an upstream 
neighbor and a downstream neighbor. (See Figure 1). Data flows around the 
ring in one direction only. A computer receives data from its upstream 


neighbor and forwards data to its downstream neighbor. At any 
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All stations are active except B (b illustrated in bypass mode) 


Figure 1: Token Ring Configuration 


one time, only one computer is transmitting new data on the ring. All other 
computers are only repeating the transmitted data (and some are copying 
the data into buffers as they repeat it on the ring). 

A unique pattern of bits, called a token, is continuously circulated on the 


ring. When a station wants to transmit, it must wait until it gets the token. 


When it gets the token, it removes the token from the ring (So no one else 
can transmit) and transmits its data. Every station on the ring has a timer 
to prevent it from holding the token too long (and thus monopolizing the 
ring). When a station has completed transmitting, it waits for the message 
to return and then removes it. The station then generates and transmits a 
new token on the ring. In this manner, the token propagates around the ring 
and every station gets a chance to transmit eventually. 

In 1985, the Institute of Electrical and Electronic Engineers (IEEE) and 
the American National Standards Institute (ANSI) issued the 802 group of 
Standards. These standards defined the requirements for three types of 
LANs: the Carrier Sense Multiple Access with Collision Detect (CSMA/CD), 
the token passing bus, and the token ring. The purpose of these standards is 
to ensure uniformity among various LANs of the same type and allow users 
to buy equipment from different vendors and know it will follow the rules. 
These standards will also make it possible to connect different networks of 
the same type with a minimum amount of effort. The standard for the 
physical and medium access control layers of the token ring network, which 
is the basis for this thesis, is ANSI/IEEE Standard 802.5- 1985. 


C. SYSTEMS OF COMMUNICATING MACHINES 

One model used to specify and analyze communication protocols is 
called systems of communicating machines. This model has been used to 
specify several types of network protocols, such as CSMA/CD, High-Level 
Data Link Control] (HDLC) and various routing protocols. It also has been 
used to specify a simplified version of the token ring protocol. Section Il 
contains a detailed description of this model and the simplifying 
assumptions that were used to apply it to the token ring network. 


4 


Systems of communicating machines uses a combination of finite state 
machines and variables to model the token ring protocol. Each 
communicating machine is in one of several possible states and has local 
variables. In any particular state, one or more actions is possible. These 
actions may or may not lead to a state transition, and they may or may not 
change the values of some variables. Which actions are allowed depends on 
the values of the local and global variables and the current state of the 
communicating machine. All transitions and actions are instantaneous; 
once a transition is enabled, it may occur at any time. Communication 
between machines is accomplished through shared variables. Machines read 
and write these shared variaDles to communicate. Each communicating 
machine will have its own local state; the set of all local states in a 
network is either a system or a global state. 


I}. THE SYSTEMS OF COMMUNICATING MACHINES MODEL 


This chapter formally defines the systems of communicating machines 
model used to specify communication protocols. The first two sections of 
this chapter briefly describe the two modeling techniques, finite state 
machines and programming language models, which form the basis for the 
systems of communicating machines model. The third section gives the 
formal definition of the general model; the adaptation of this model used to 
specify the token ring protocol will be described in Chapter IV. 


A. COMMUNICATING FINITE STATE MACHINES 

One method of modelling communication protocols is with 
communicating finite state machines. In this model, each process is 
modelled as a finite state machine and implicit queues are used for 
communication. Global states are used to define every possible condition of 
the network. A global state consists of the state of every process in the 
network and the contents of the queues. Transitions are enabled by various 
combinations of the contents of the queues, and thus machines in the 
network transition from state to state, possibly changing the contents of 
the queues when they transition. 

Communicating finite state machines are primarily used to perform a 
reachability analysis. This analysis consists of exercising the model until 
every possible state has been generated from the starting state. This type 


Of analysis is useful for predicting deadlocks in the network and 
documenting the events leading to a deadlock. 

The chief disadvantage of using communicating finite state machines for 
this analysis is the so-called “state explosion’. Even if the queue lengths 
are finite (which is not required in the pure finite state machine model), 
modern protocols are so complex that the number of states generated with 
this model can be unmanageable. [Ref. 1] 


B. PROGRAMMING LANGUAGE MODELS 

Programming language models of communication protocols have the 
advantage of being more flexible and robust than finite state machines. 
However, programming language models are also much more complex than 
finite state machines. Several programming languages have been developed 
or adapted for the purpose of modelling protocols. These languages include 
CSP, Ada, and LOTOS. While each language has features to aid in this 
analysis, the programming task can be very formidable if the protocol to be 


modelled is large and complex. [Ref. 1] 


C. SYSTEMS OF COMMUNICATING MACHINES 

The systems of communicating machines model is an attempt to combine 
the best features of the finite state machine model with some features 
from the programming language model. The resulting model uses finite 
State machines, but it uses local variables to reduce the number of machine 
States. It also uses shared variables instead of queues for communicating. 


The following formal definition of systems of communicating machines 
is quoted from [Ref. 2] and is reprinted here for the reader's convenience. 
A system of communicating machines is an ordered pair 
C =(M,V), where 
M= (m , Moy on m,} 
is a finite set of machines, and 


Vz (v,, Von on VJ 
is a finite set of shared variables, with two designated subsets R; and Wi, 
Specified for each machine m The subset R, of V is called the set of read 


access variables for machine m Fe and the subset W the set of write access 


Variables for m ; 


Each machine m,e€ Mis defined by a tuple (5, 5,L,,N, T), where 

(1) oj Is a finite set of states; 

(2) Ss 3; is a designated state called the /nitia/ state of mM; 

(3) L,is a finite set of local variables, 

(4) N, is a finite set of names, each of which is associated with a 
unique pair (p, a), where p is a predicate on the variables of L, U R, 
and a is an action on the variables of L, U R, U W. opecifically, an 


action is a partial function 
a:b xR, ===) Lx Wi 
from the values contained in the local variables and read access 
variables to the values of the local variables and write access 
variables. 
(5) T. F Xx N, ---) S; is a transition function, which is a partial 


function from the states and names of m, to the states of m i 


Machines model the entities, which in a protocol system are processes 


and channels. The shared variables are the means of communication 


between the machines. Intuitively, R, and W, are the subsets of V to which 


mM, has read and write access, respectively. A machine is allowed to make a 


transition from one state to another when the predicate associated with the 
name for that transition is true. Upon taking the transition, the action 
associated with that name is executed. The action changes the values of 
local and/or shared variables, thus allowing other predicates to become 
true. 


The set L, of local variables specifies a name and a range for each. The 


range must be a finite or countable set of values. 
A system state tuple is a tuple of all machine states. That is, if (M, V) 


is a system of nm communicating machines, and $ for 1 < /< +n, is the state 


of machine m, then the nm-tuple (s pp Soro S,) is the system state tuple of 


(M, V). A system state is a system state tuple, plus the outgoing 
transitions which are enabled. That is, two system states are equivalent if 
every machine is in the same state, and the same outgoing transitions are 
enabled. The initial system state is the system state such that every 
machine is in its initial state, and the outgoing transitions are the same as 
in the initial global state. 

The global] state of a system consists of the system state, plus the 
values of all variables, both local and shared. It may be written as a larger 
tuple, combining the system state with the values of the variables. The 
initial global state is the initial system state, with the additional 


requirement that all variables have their initial values. A global state 
corresponds to a system state if every machine is in the same state, and the 
same outgoing transitions are enabled. That is, a global state consists of a 
tuple of machine states, plus the values of all variables. A system state 
with the same tuple of machine states as the global state and the same 
enabled outgoing transitions is the corresponding system state. 


Let US ,, n) = $5 be a transition which is defined on machine mM 


Transition 2 is enabled if the enabling predicate p, associated with name n, 


is true. Transition tr may be executed whenever m, is in state S, and the 


predicate p is true (enabled). The execution of 1 is an atomic action, in 
which both the state change and the action a associated with h occur 
Simultaneously. 

Note that if the values of all variables are restricted to some finite 
range, then the model can theoretically be reduced to a simple finite state 
machine. Otherwise, an infinite number of global states are possible. 
However, even if the number of global states is infinite, the number of 
system states is finite, because of the finiteness of each machine. This 
may allow areachability analysis on the system states, when a reachability 
analysis on the global states is infinite. Even when the values of al! 
variables are of a finite range, the number of global states in the equivalent 


FSM system may be so large as to be intractable. [Ref. 2] 


lil. THE IEEE TOKEN RING PROTOCOL 


This chapter gives a brief overview of how a token ring LAN operates. 
The discussion is based on [Ref. 3] and therefore does not pertain to any 
particular implementation of the token ring protocol. Section A explains 
the physical layout of the network. Section B describes the formats of the 
frames and tokens that are circulated on the ring. Section C concludes this 
chapter with a description of now the token ring operates. For a more 
detailed explanation of the token ring protocol, see [Ref. 3]. 


A. TOPOLOGY 

A token ring LAN is configured in aring. Transmission 1s point to point, 
in one direction only. Most token rings use centrally located switching 
centers to accomplish the ring connections, and each station on the ring has 
its own Cable connection to the switching center. When a particular station 
wants to connect to the ring, it sends a signal to the switching center. The 
Switching center activates arelay that inserts the station into the ring; as 
long as the signal from the station is present, the relay remains energized 
and the station is connected to the ring. When an error is detected by either 
the switching center itself or the station, the relay is de-energized and the 
Station is placed in the bypass mode. This scheme is very flexible; as long 
as there are connections available in the switching center, new stations can 
be added to the ring. The switching centers can also be connected to each 
other, allowing more room for expansion. The maximum size of a token ring 


network is 250 stations, which is determined by timing and data rate 


considerations beyond the scope of this thesis. 


B. FORMATS 

The token ring network uses a form of encoding known as differential 
Manchester. This encoding scheme allows timing information to be implicit 
in the data signal. It also allows two symbols to be defined which are not 
data symbols. These unique symbols, called J and K, are used in both the 
token and the frame starting and ending delimiters. If these unique symbols 
occur anywhere else in a frame, an error has occurred and the network 
accomplishes recovery procedures. 

The token format is 
[SD, AC, ED]. 
The frame format is 
[SD, AC FEaDA, SAsINEO. FCS Epub 

SD is the starting delimiter and consists of J, K, and O symbols. AC is the 
access control field. A token bit in this field lets a receiving station know 
if it is processing a token or a frame; if it is a token, the receiving station 
may change the token bit to denote a token and begin transmitting its 
messages. The ED field is the ending delimiter and consists of J, K, and | 
symbols. The FC field in a frame is the frame control field and identifies 
the type of frame. The DA and SA fields are the destination and source 
addresses for this frame. The INFO field is the information field and is 
optional; i.e., a control frame does not need to contain an information field, 
but a data message will obviously contain information. The FCS field is the 
frame check sequence used for error detection. The FS field is the frame 
Status field used by the receiver to acknowledge reception of a message. 
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For amore detailed explanation of these fields and their formats, 
see (Ref. 3]. 


C. OPERATION 

When a station on the ring wants to transmit a frame, it must first seize 
the token. When the station detects a usable token, i.e., a token with a 
priority that is equal to or lower than the priority of the frame the station 
wants to transmit, it sets the token bit to indicate a frame is next. Setting 
the token bit changes the token to a frame; the station has now “seized” the 
token. Now no other station can transmit new information onto the ring. 
The station proceeds to transmit its frame(s) until it is done or its 
maximum allowable time to hold the token expires (this time limit is 
determined by the network managers). The station then transmits an 
end-of-frame sequence and transmits fill (all zeroes) while it waits for the 
last frame transmitted to go full cycle and return. When this last frame is 
received, the station generates a new token and transmits it on the ring, 
allowing the next station an opportunity to transmit. 

Every station is responsible for removing all messages it originates from 
the ring. This is necessary to ensure old frames do not circulate forever on 
the ring. While a station is waiting for its last transmitted frame to 
return, it is also stripping all its previous messages from the ring and 
replacing them with fill. The last field in a frame is used by the 
destination to acknowledge receipt of a frame. Two bits are used to 
indicate whether a station recognized its own address in the frame header 
and whether or not that station copied the frame into its buffers. These 
bits let the sending station know the result of its transmission. 


On every token ring, one station assumes the role of active monitor; 
every other station on the ring is automatically a standby monitor. The 
active monitor is responsible for maintaining the ring in proper operating 
condition. it checks and corrects the signal timing to keep all stations 
synchronized. The active monitor checks to see that a token is always 
present on the ring. It monitors frames that pass to make sure they are 
new, not leftover frames that some station didn't remove. The active 
monitor also lets the other stations on the ring Know that an active monitor 
Is present by broadcasting a special control frame periodically. The active 
monitor uses timers to monitor these conditions; the timers are reset when 
certain conditions are met (such as a valid token going by). If an error is 
detected, the active monitor takes corrective actions. Every station on the 
ring that is not the active monitor is a standby monitor. If a standby 
monitor believes there is no active monitor present on the ring (because of 
the absence of the control frames), it will assume the role of active 
monitor. In this way, the token ring network is self-monitoring. For amore 
detailed description of the active monitor and its functions, see [Ref. 3]. 


IV. SPECIFICATION OF THE TOKEN RING PROTOCOL 


This chapter explains how systems of communicating machines can be 
used to specify and analyze the token ring protocol that is stated in [Ref. 3]. 
The general model is explained in Chapter |! of this thesis; this chapter 
describes the specific adaptation of the model to specify the token ring 
protocol. Section A explains the assumptions used to simplify the protocol 
to make the model more manageable. Section B describes the formats of the 
tokens and frames which are transmitted by the stations in the model. 
section C explains how the model is structured and how it works. The 
explanation includes a picture of the finite state machine part of the model, 
a description of the local and shared variables used by the communicating 
machines, and a transition name/action table to describe the various states 
and transitions between them. 


A. SIMPLIFICATIONS OF THE PROTOCOL 

The model systems of communicating machines can be used to model the 
token ring protocol. In (Ref. 2], this model has been adapted to specify the 
token ring protocol. In order to keep the specification down to a reasonable 
size, several simplifications were made to the protocol. These 
simplifications were: (from [Ref.2]) 

1. No attempt is made to model the timing. It is assumed that 

transitions which are enabled will occur, eventually. 


2. The input and output buffers (that is, the shared variables) of the 
entire network have the capacity to hold the largest frame transmitted on 
the ring. This means that when a station transmits a frame, it may 
transmit the entire message before checking its input buffers for the first 
part of the message. 

3. Only one frame is transmitted before giving up the token. In the 
[EEE standard, a station may send as many frames as it can before the 
expiration of THT, the token holding timer. For purposes of brevity, in this 
section the limit is one message. 

4. No errors in transmission. In the standard, much of the complexity 
of the protocol goes into handling errors. 

2. All messages have equal priority. The standard protocol allows 
eight different priority levels, with an elaborate procedure for raising and 
lowering them. 

6. No active or standby monitors. In the standard token ring, every 
Station contains a monitor for various error checking. [Ref. 2] 

Most of these simplifying assumptions could be relaxed, if a more 
realistic model is desired. However, none of these assumptions 
Significantly changes the function of the protocol and the model is easier to 
analyze using them. 


B. MESSAGES AND FORMATS 

In IEEE Standard 802.5-1985, four different types of units are 
transmitted on the ring: binary 0, binary 1, non-data symbol J and non-data 
symbol K. In the model used to specify the token ring protocol, the units 
transmitted on the ring are characters. This means that each station on the 
ring will transmit and receive a sequence of characters rather than 
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individual bits. The model uses two special characters, ‘U' and'k’, to denote 
the beginning and end of a message, respectively. These special characters 
will not appear in the middle of a message. Two types of messages will be 
transmitted in this model: the token and the frame. The token shall have 
the format 
oak 
and the frame shall have the format 
[J, F, DA, SA, INFO, K, C], 

where the DA and SA fields are both integers indicating the destination and 
source addresses of the frame, INFO is the data being transmitted (and thus 
will be a sequence of characters generated by a higher level protocol), and 
the C field is one bit. The C bit is the “frame copied’ bit and lets the sender 
know whether or not the INFO was copied by the destination station. [Ref. 2] 

The first character of any message is a J, followed by either aT or anF, 
Indicating whether the message is a token or a frame. If the message is a 
token, the next character is ak, ending the message. If the message is a 
frame, the next two characters are integers indicating the destination and 
sending stations, followed by a sequence of characters which are the data 
being transmitted. The message ends with a K and the C bit. The receiver 
uses the C bit to indicate reception of the message to the sender. [Ref. 2] 


C. PROTOCOL SPECIFICATION 

To specify the token ring protocol, a state diagram, an action table and a 
picture of the shared and local variables are used. Figure 2 depicts the 
State machine diagram of the model. Table | contains the action table, and 
Figure 3 shows the shared and local variables. Table 2 contains the 
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Figure 2: State Diagram for the Token Ring Protocol 
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transition names and their meanings; this table is not part of the 
specification but is included to aid the understanding of the 
transitions. [Ref. 2] 

Each edge of the state diagram is labeled with a transition name. The 
enabling predicate and corresponding action which accompany the transition 
appear in Table 1, the action table. Figure 3 contains the shared and local 
variables associated with each station on the ring. The shared variables are 
inbuf and outbuf, while PDU and msgbuf are local to each station. The index 


variables (o, i, m,r, p) are also local variables. In the starting state (0 in 
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Figure 2), all buffer variables (inbuf, outbuf, PDU and msgbuf) are empty, 
with exactly one exception, and all index variables are equal to |. The 
exception to the empty buffers is one shared variable on the ring contains 
the token, [JU, T, K]. The local buffer variable PDU is used by the station to 
queue messages waiting for transmission on the ring. A PDU is a protocol 
data unit, the data block from the higher level protocol on the station. The 
msgbuf local variable is used to queue incoming messages from the ring 
until a higher level protocol is ready to accept them. [Ref. 2] 


TABLE 1: ACTION TABLE FOR THE TOKEN RING PROTOCOL 


transition | enabling predicate action 

rcp sinbuf(2)e{O, J} repeat 

PDU-Q. | PDU(1) #9 = a 
repeal 
mbuf(t)=T repeat 

siubu f(rjc{ AL A, O} repeat 
Vmsgbuf #9 


ed Mla) 
= 1 pom ~ 




















yes inbuf(7) = ALA rcpeat 
Arusgbuf = 9 

or imbuf(r) ff i msgbuf(ur) — inbuf(t); tuc(w); repeat 
beh) = IV repeal 

Ack outbuf(o) — lyinbuf(1) — 9; 1c(o, t) 

15 eae outbuf(o) — Fyinbuf(t) — 9; 2uc(o, 2) 

oulbuf(o,o@1) — (DA, SA); 1uc(o) 

Amat Ute) oulbuf(o) — PDU(7,p); inc(o, p) 
outbuf(o) — Kyinc(o);p — 1 
outbuf(o) — O0;inc(o); 
inbuf(i_) = ALA inbu f(r) — QO; ruc(2) 
true outbuf(o,o® l,o@ 2) — (J, 7, );0 — 0 @3, 
mbuf(i) AK inbuf (i) — 0; ttc(2) 

Oe | = 1 inbuf(1) — @; tuc(t) 








inbuf(i) = 0 | inbuf (2) — 0; 1ue(2) 


tubuf(t) = 1 ainbuf(i) — §;ine(i); PDU(r) & Oy ituc(1) 
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The state diagram of Figure 2 for each machine on the ring can be viewed 
as two distinct parts. In the left side, states 0 - 4, the station has no PDU 


Figure 3: Local and Shared Variables of the Token Ring 


(downstreain) (upstream) 


outbuf 





msgbuf 





queued for transmission, while in the right side, states 5 - 15, the station 
has a PDU ready for transmission. A PDU is queued by a higher level 
protocol; the PDU ts placed in the next available slot in the PDU buffer to 
await transmission. The enabling predicate for the PDU-G transition from 
state 0 to state 5 reflects the result of this action by the higher level 
protocol. A station in state 0 is just repeating incoming characters to its 
downstream neighbor. 

After a PDU is queued and the station has taken the transition to state 5, 


the station continues to repeat incoming characters until it can capture the 
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token and transmit the PDU. In both parts of the state diagram, the station 
must copy any messages addressed to this station into its msgbuf, unless 
the msgbuf is full. If the msgbuf is full, the higher level protocol has not 
yet read the last message received, and the station takes the no transition. 


TABLE 2: MEANINGS OF THE TRANSITION NAMES 


transition | meaning 

rep ‘repeat character to the next station 

a PDU is queued for transmission 
first character of a frame or token 

| second character of a frame 
no, frame not sent to this station 
fiame addressed to this station 





cr copy and repeat character to next station 
ending delimiter for frame or token 












Ack 
N mut 





acknowledgement of fraine 
transmit frame 

end of protocol data umt 
AO GONE transmit end of frame 
rem remove Ist part of frame 


my address 









destination address 







source address 








a ml 


new transmit anew token 









rem2 
remle 
IN7SS 


Ol 


remove 2nd part of frame 
remove the I< 
frame was not received successfully 
frame was received 


This means the station does not receive the message; the sender will know 
because the C bit (the frame copied field) will not be set. [Ref. 2] 

lf a station has a PDU queued and it captures the token, the station 
transitions from state 5 through state 6 to state 7 and transmits the PDU. 
After transmitting the PDU, the station transitions to state 8 and then to 
State 9 by transmitting the ‘kK’ character and the C bit (0). In state 9, the 
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Station waits for the return of its message and strips it off the ring. When 
the station recognizes its own address in the SA field, it transitions to 
State 10 and transmits a new token on the ring. In state 11, the station 
removes the remainder of its message from the ring. In state 12, the 
Station checks the frame copied bit, the C field. If C = 1, the destination 
Station copied the frame and this station can clear the PDU buffer and 
return to state 0 via the OK transition. If C = 0, the destination station did 
not copy the frame, so this station returns to state 5 to retransmit the PDU 
(after recapturing the token, of course). [Ref. 2] 

In the predicate-action table, Table |, the action repeat is the basic act 
of retransmitting (repeating) the incoming character to the downstream 
Station; it consists of the three statements 

outbuf(o) <-- inbuf(i); inbuf(1) <-- 0; inc(o, 1). 
Increment (inc) adds one to each of its arguments using modulo arithmetic 
to simulate a circular counter (i.e., if an argument is at its maximum value, 


it is reset to its minimum value when it is incremented). [Ref. 2] 
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V. ANALYSIS OF THE TOKEN RING PROTOCOL 


This chapter explains the results of using the specification described in 
Chapter IV to analyze the token ring protocol. Section A gives the 
background for the analysis by explaining what a reachability analysis is 
and what the main problems associated with this type of analysis are. 
section B explains the secondary goal of this type of analysis: verifying the 
model. Section B also describes the errors discovered in the specification 
of the token ring protocol. Section C describes what the results of the 
analysis were. The table included in Section C contains the 630 states that 
were generated when the model was run. 


A. TYPE OF ANALYSIS 
As stated in Chapter Il, a system state for the Systems of 
Communicating Machines model is a tuple consisting of the state of every 
machine in the network, plus the enabled outgoing transitions for each 
_machine. A global state for this model is a tuple consisting of the state of 
every machine plus the values of all its variables, both local and shared. It 
is possible for one system state to correspond to several global states; 
that is, two system state tuples may be identical except for having 
different outgoing transitions enabled and therefore having different values 
in one or more variables. 
One method of protocol analysis is called reachability analysis. Once a 
Specification of the protocol has been developed, it can be run (either 


23 


manually or on a computer) until all the possible system states have been 
generated, or reached. These states can then be studied to detect possible 
protocol failures. A reachability analysis is mostly used to detect deadlock 
conditions. A deadlock exists when the system reaches a state from which 
there is no exit; all communication on the network comes to a halt. Other 
failure conditions that can be detected with a reachability analysis include 
Starvation (one or more machines never get a chance to transmit on the 
network) and livelock (the network gets locked into a never-ending cycle of 
a small number of system states). 

There are two main problems with this type of analysis. First of all, it 
is undecidable whether the analysis will ever terminate. This means that 
there may be an infinite number of possible states. Secondly, even if the 
anlaysis does terminate, there is for any nontrivial protocol a combinatorial 
explosion of states. This means that the number of states may be so large 
that even an automated analysis is impractical, taking days, weeks or years 
of computer time. 

A reachability analysis was performed on the system states; this is 
called system state analysis. The analysis used an abbreviated form of the 
global states. The tuples consisted of the state of each machine and the 
values of its shared variables; local variables were not represented in 
order to keep the size of the tuples small. The network consisted of two 
machines; it is left to further research to expand the analysis to three or 
more machines. The results of this analysis are contained in Part C of this 
section. A total of 630 states were generated for this two-machine 
network, and no errors in the token ring protocol were discovered. 
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B. VERIFYING THE MODEL 

A secondary goal in performing a reachability analysis is to verify the 
proper operation of the model of the protocol. As the model is exercised and 
new system states are reached, the user can check to see that the 
transitions occur in a timely and logical (consistent with the actual 
protocol) manner. The mode} can be fine tuned to correct any deficiencies. 
It can also be modified to simplify the analysis or to bring its behavior 
closer to the actual protocol’s functioning. 

In performing a reachability analysis with systems of communicating 
machines, three errors were discovered in the token ring specification. 
Correcting these errors brought the specification’s behavior in line with the 
protocol’s function and also helped minimize the number of possible states. 

In the original specification, the enabling predicate for the no 
transistion (see Table 1) did not include inbuf(i) = 0. Not including this 
condition meant that a machine in states 2 or 13 could transition without 
having received the address of the frame. The intent of the no transition is 
to continue repeating if either the frame is addressed to someone else or 
this machine does not have room in its buffer for the frame. Adding the 
condition inbuf(i) = O forces the machine to check the address and/or its 
buffers before transitioning. 

The second error in the original specification involved the Ack 
transition. The original specification listed the transition as always 
enabled; a machine in states 4 or 15 could immediately transition. 
Problems arose if the sender had not taken the XEOF transition to state 9 
yet. If the receiver sent an Ack and entered a repeat state, followed by the 
Sender taking the XEOF transition and transmitting a 0, the receiver would 
repeat this O and an extra character would be in the queues. The Ack 
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transition was intended to remove this 0 from the system. Changing the 
enabling predicate for Ack to inbuf(i) = 0 accomplishes this task. 

The third correction to the original specification involved the xXmit 
transition. The Amit transition’s original action was: 

outbuf(o) <-- PDU(r,p); inc(o,p). 
While this action is technically correct, it led to a larger number of states 
than necessary; 1.e., every machine needed to take the Amit transition three 
times in order to transmit a one-character PDU. Modifying the action to: 
outbuf(o) <-- PDU(r,p); inc(o,p) 


and changing the action of the (preceding) To transition to: 
outbuf(o) <-- F; inbuf(i) <-- 0; inc(o,i): 
outbuf(o, o+ 1) <-- DA, SA; inc(o) 


Simplifies this transition and allows the sender to transmit an entire PDU 


in one action. 


C. RESULTS OF THE ANALYSIS 

Table 3 (in the appendix) contains a listing of all the states generated 
with a two-machine network using the systems of communicating machines 
model to specify a token ring network. The num column is a reference 


number for each abbreviated global state. The s, column contains the state 
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of machine |, and similarly the So column contains the state of machine 2. 


The Inbuf, column contains the contents of the inbuf shared variable for 


machine | (and therefore, for this two-machine network, the contents of 


the outbuf shared variable for machine 2); the inbuf., column is the 
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contents of the inbuf shared variable for machine 2 and the outbuf shared 
variable for machine 1. The last column contains tuples made up of a 
transition name and a num reference number. The group of tuples represent 
all possible transitions from the current state; the num reference number 
for each transition directs the reader to the table entry for the new system 
State if that transition is taken. The superscripts on the transition name 
denote the number of the machine (1 or 2) which is taking that particular 
transition; superscripts were used rather than subscripts because some 
transition names contain subscripts already. 
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Vi. CONCLUSIONS AND RECOMMENDATIONS 


This thesis used the systems of communicating machines model to 
specify the IEEE token ring protocol. The thesis then used this specification 
to analyze the protocol. The purpose of this analysis is both to verify the 
protocol functions properly and to verify the correctness of the 
Specification. 

The analysis in Section V proves that the token ring protocol will not 
fail ina two machine network. No states were generated from which there 
is no transition out; therefore, the protocol is deadlock-free. Also, since 
the token passed from one machine to the other with no problems, 
Starvation does not exist in a network which properly installs the token 
ring standard. A close examination of the system states table shows that 
no loops exist, either. The network moves from state to state smoothly, and 
eventually returns to its starting state and starts the communication 
process all over again. 

The analysis in Section V also serves to validate the model of the token 
ring protocol. Exhaustively exercising the model and generating every 
possible state proves the model functions properly. This model can be used 
to evaluate other token ring implementations to test for failure conditions 
and to test how well they conform to the IEEE standard. 

This model makes several simplifying assumptions about the token ring 
protocol. Now that this version of the model has been verified, future 
versions may relieve one or more of those simplifying assumptions in order 


to more closely model the behavior of a token ring network. The model 
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could be modified to allow a station to transmit more than one frame at a 
time when it has the token. This change would require some sort of timing 
mechanism (such as another shared variable, called Clock) in order to model 
the token holding timer. Adding timing to the model would also make it 
more realistic. As the model now stands, one station can transmit several 
characters in a row without the other station reacting. In areal network, 
both stations would be transmitting alternately (actually, one station would 
be transmitting and one would be repeating). With timing in the model, the 
Stations would have to take turns transmitting on the ring. 

There are many ways to add to the model to make it more closely 
resemble the actual protocol. However, the analyst must be careful when 
adding complexity to the model. Adding too much detail can make the model 
too large and unwieldy to be a useful analytical tool. If the model yields too 
many possible system states, it will be too difficult to interpret the 
results of running the model. 

Future research may want to add detail to the model and extend these 
results to a network with three or more machines. Extending the results to 
a network of n machines would prove the protocol wont fail under any 
conditions and would be very worthwhile. 
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TABLE 3: RESULTS OF THE ANALYSIS (cont) 
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